<?php
//Script for handling user authentication and authorization
//if a session exists, the user is already logged in: expose the user details in variables that other pages can read
//if there is no session, check whether a user id and password were posted
//if they were posted: save them to the session and redirect to index.php
//if not, show the login form

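// Defaults, so pages that include this script can always read the two flags
// regardless of which branch below runs (previously they stayed undefined on
// the "not logged in" path).
$authenticated = false;
$authorized = false;

// Target for the form actions. PHP_SELF can carry request-controlled PATH_INFO,
// so it is escaped for the HTML attribute context here and JSON-encoded (with
// the HEX flags) wherever it is placed inside a <script> block below.
$selfAttr = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');

// --- logout ---------------------------------------------------------------
if (isset($_POST['action']) && $_POST['action'] === 'logout') {
    // Empty the session array first, then drop the server-side session and
    // expire the session cookie so the old id is not reusable by the client.
    $_SESSION = array();
    if (session_id() !== '') {
        if (ini_get('session.use_cookies') && !headers_sent()) {
            $cookie = session_get_cookie_params();
            setcookie(
                session_name(),
                '',
                time() - 42000,
                $cookie['path'],
                $cookie['domain'],
                $cookie['secure'],
                $cookie['httponly']
            );
        }
        session_destroy();
    }
    $_POST = array();
    $authenticated = false;
    $authorized = false;
    // Kept for any page that still reads the old (misspelled) variable name.
    $authorization = false;
    // Constant string: plain echo, no format-string processing needed.
    echo "<script>location.href='.';</script>";
}

// --- logged in ------------------------------------------------------------
if (isset($_SESSION['username']) && $_SESSION['username'] !== '') {
    $username = $_SESSION['username'];
    $role = isset($_SESSION['role']) ? $_SESSION['role'] : null;
    $authenticated = true;
    // authorizeUser() is defined elsewhere: decides whether $role may access
    // the script currently being served.
    $authorized = authorizeUser($role, $_SERVER['SCRIPT_NAME']);
    ?>
    <div class="logout">
        <div class="msg">Welcome,<br /><a href="">User!</a></div>
        <form method="post" action="<?php echo $selfAttr; ?>" name="logoutForm">
            <input type='hidden' value='logout' name='action' />
            <div><input type="submit" name="btnLogout" value="Log Out" class="button" style="position:absolute;bottom:10px;right:10px;"/></div>
        </form>
    </div>

    <?php
} else {
    // --- not logged in: credentials posted? ------------------------------
    // is_string() rejects array-shaped fields (userid[]=...) so
    // authenticateUser() only ever sees scalar strings.
    if (isset($_POST['userid'], $_POST['password'])
        && is_string($_POST['userid'])
        && is_string($_POST['password'])
    ) {
        $username = $_POST['userid'];
        $password = $_POST['password'];
        // authenticateUser() is defined elsewhere; a truthy result is treated
        // as an array with 'userid', 'username' and 'role' keys.
        $authenticated_user = authenticateUser($username, $password);
        if ($authenticated_user) {
            // New session id on privilege change: the id the client held
            // before login (possibly attacker-chosen) is never promoted.
            if (session_id() !== '') {
                session_regenerate_id(true);
            }
            $_SESSION['userid'] = $authenticated_user['userid'];
            $_SESSION['username'] = $authenticated_user['username'];
            $_SESSION['role'] = $authenticated_user['role'];
            $target = $_SERVER['PHP_SELF'] . '?login=success';
        } else {
            $target = $_SERVER['PHP_SELF'] . '?login=failed';
        }
        // JSON-encode the URL for the JS string context; the HEX flags keep
        // "</script>", quotes and "&" from breaking out of the literal.
        echo '<script>location.href='
            . json_encode($target, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP)
            . ';</script>';
    } else {
        // --- not logged in, nothing posted: show the login form ------------
        // Note: the "keeplogin" checkbox is rendered but not read anywhere in
        // this script.
        ?>
        <div class="login">
            <form method="post" action="<?php echo $selfAttr; ?>" name="loginForm">
                <input type='hidden' value='login' name='action' />
                <table cellspacing="0" cellpadding="0">
                    <tr><td>Student/Staff_ID:</td><td>Password:</td></tr>
                    <tr>
                        <td><input type="text" name="userid" value="" maxlength="16" /></td>
                        <td><input type="password" name="password" value="" maxlength="48" /></td>
                        <td><div><input type="submit" name="btnLogin" value="Log In" class="button" /></div></td>
                    </tr>
                    <tr><td><input type="checkbox" name="keeplogin" value="K" />Keep me login</td></tr>
                </table></form>
        </div>
        <?php
    }//end of show login form
}//end of in session
?>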